
CERTIFIED COPY OF 
PRIORITY DOCUMENT 






The Patent Office 
Concept House 
Cardiff Road 
Newport 
South Wales 
NP10 8QQ 






I, the undersigned, being an officer duly authorised in accordance with Section 74(1) and (4) 
of the Deregulation & Contracting Out Act 1994, to sign and issue certificates on behalf of the
Comptroller-General, hereby certify that annexed hereto is a true copy of the documents as 
originally filed in connection with the patent application identified therein. 



In accordance with the Patents (Companies Re-registration) Rules 1982, if a company named 
in this certificate and any accompanying documents has re-registered under the Companies Act 
1980 with the same name as that with which it was registered immediately before re- 
registration save for the substitution as, or inclusion as, the last part of the name of the words 
"public limited company" or their equivalents in Welsh, references to the name of the company 
in this certificate and any accompanying documents shall be treated as references to the name
with which it is so re-registered. 



In accordance with the rules, the words "public limited company" may be replaced by p.l.c.,
plc, P.L.C. or PLC.

Re-registration under the Companies Act does not constitute a new legal entity but merely
subjects the company to certain additional company law rules.



Signed 
Dated 06 June 2000 







EXPRESS MAIL NO. ELO 5 2 8 2 9 7 4 2 US 



IN THE UNITED STATES PATENT AND TRADEMARK OFFICE 

Applicants: James Thomas Edward MCDONNELL, et al.

Serial No.: Not yet assigned

Filed: Concurrently herewith

For: "PROVIDING LOCATION DATA ABOUT A MOBILE ENTITY"



Our Ref: B-4110 618604-0 £S HS 



Date: March 23, 2001 



CLAIM TO PRIORITY UNDER 35 U.S.C. 119 

Commissioner of Patents and Trademarks 
Box New Patent Application 
Washington, D.C. 20231 

Sir: 

[X] Applicants hereby make a right of priority claim under 35
U.S.C. 119 for the benefit of the filing date(s) of the
following corresponding foreign application(s):

COUNTRY          FILING DATE      SERIAL NUMBER
United Kingdom   25 March 2000    0007266.0

[ ] A certified copy of each of the above-noted patent
applications was filed with the Parent Application
No. .

[X] To support applicants' claim, a certified copy of the above-
identified foreign patent application is enclosed herewith.

[ ] The priority document will be forwarded to the Patent Office
when required or prior to issuance.

Respectfully submitted, 



Ross A. Schmitt 
Attorney for Applicant 
Reg. No. 42,529 



LADAS & PARRY

5670 Wilshire Boulevard 

Suite 2100 

Los Angeles, CA 90036 
Telephone: (323) 934-2300 
Telefax: (323) 934-0202 






Patents Form 1/77 

Patents Act 1977 




Request for grant of a patent 

(See the notes on the back of this form. You can also get an
explanatory leaflet from the Patent Office to help you fill in
this form)



[Stamp: 25 MAR 2000, RECEIVED BY POST]

The Patent Office



Cardiff Road 
Newport 
Gwent NP9 1RH 



1. Your reference 



30003026GB1 



2. Patent application number 

(The Patent Office will fill in this part)



0007266.0 






3. Full name, address and postcode of the or of
each applicant (underline all surnames)



Patents ADP number (if you know it) 

If the applicant is a corporate body, give the 
country/state of its incorporation 



Hewlett-Packard Company 
3000 Hanover Street 
Palo Alto 
CA 94304, USA



Delaware 



4. Title of the invention 

Providing Location Data about a Mobile 
Entity 



5. Name of your agent (if you have one) 

"Address for service" in the United Kingdom 
to which all correspondence should be sent 
(Including the postcode) 



Robert F. Squibbs

Hewlett-Packard Ltd, IP Section 
Filton Road 
Stoke Gifford 
Bristol BS34 8QZ 



Patents ADP number (if you know it) 



6. If you are declaring priority from one or more
earlier patent applications, give the country
and the date of filing of the or of each of these
earlier applications and (if you know it) the or
each application number

Country    Priority application number (if you know it)    Date of filing (day / month / year)

7. If this application is divided or otherwise
derived from an earlier UK application,
give the number and the filing date of
the earlier application

Number of earlier application    Date of filing (day / month / year)

8. Is a statement of inventorship and of right
to grant of a patent required in support of
this request? (Answer 'Yes' if:

a) any applicant named in part 3 is not an inventor, or

b) there is an inventor who is not named as an
applicant, or

c) any named applicant is a corporate body.
See note (d))

Yes




9. Enter the number of sheets for any of the
following items you are filing with this form.
Do not count copies of the same document

Continuation sheets of this form

Description    18

Claim(s)    4

Abstract

Drawings


10. If you are also filing any of the following, 
state how many against each item. 




Priority documents 




Translations of priority documents 




Statement of inventorship and right 
to grant of a patent (Patents Form 7/77) 




Request for preliminary examination
and search (Patents Form 9/77)    1


Request for substantive examination 
(Patents Form 10/77) 




Any other documents
(please specify)    Fee Sheet


11. I/We request the grant of a patent on the basis of this application.
Signature [illegible]    Date [illegible]

Robert Francis Squibbs 


12. Name and daytime telephone number of
person to contact in the United Kingdom 


Janet Smith, 0117-312-8026 



Warning 

After an application for a patent has been filed, the Comptroller of the Patent Office will consider whether publication 
or communication of the invention should be prohibited or restricted under Section 22 of the Patents Act 1977. You 
will be informed if it is necessary to prohibit or restrict your invention in this way. Furthermore, if you live in the 
United Kingdom, Section 23 of the Patents Act 1977 stops you from applying for a patent abroad without first getting 
written permission from the Patent Office unless an application has been filed at least 6 weeks beforehand in the 
United Kingdom for a patent for the same invention and either no direction prohibiting publication or 
communication has been given, or any such direction has been revoked. 

Notes 

a) If you need help to fill in this form or you have any questions, please contact the Patent Office on 0645 500505.

b) Write your answers in capital letters using black ink or you may type them.

c) If there is not enough space for all the relevant details on any part of this form, please continue on a separate
sheet of paper and write 'see continuation sheet' in the relevant part(s). Any continuation sheet should be
attached to this form.

d) If you have answered 'Yes' Patents Form 7/77 will need to be filed.

e) Once you have filled in the form you must remember to sign and date it. 

f) For details of the fee and ways to pay please contact the Patent Office. 






Providing Location Data about a Mobile Entity 
Field of the Invention 

The present invention relates to the provision and use of location data concerning mobile
entities.

Background of the Invention 

Communication infrastructures suitable for mobile users (in particular, though not
exclusively, cellular radio infrastructures) have now become widely adopted. Whilst the
primary driver has been mobile telephony, the desire to implement mobile data-based
services over these infrastructures has led to the rapid development of data-capable bearer
services across such infrastructures. This has opened up the possibility of many
Internet-based services being available to mobile users.

By way of example, Figure 1 shows one form of known communication infrastructure for
mobile users providing both telephony and data-bearer services. In this example, a mobile
entity 20, provided with a radio subsystem 22 and a phone subsystem 23, communicates
with the fixed infrastructure of GSM PLMN (Public Land Mobile Network) 10 to provide
basic voice telephony services. In addition, the mobile entity 20 includes a data-handling
subsystem 25 interworking, via data interface 24, with the radio subsystem 22 for the
transmission and reception of data over a data-capable bearer service provided by the
PLMN; the data-capable bearer service enables the mobile entity 20 to communicate with a
service system 40 connected to the public Internet 39. The data handling subsystem 25
supports an operating environment 26 in which applications run, the operating environment
including an appropriate communications stack.

More particularly, the fixed infrastructure 10 of the GSM PLMN comprises one or more
Base Station Subsystems (BSS) 11 and a Network and Switching Subsystem NSS 12. Each
BSS 11 comprises a Base Station Controller (BSC) 14 controlling multiple Base
Transceiver Stations (BTS) 13 each associated with a respective "cell" of the radio
network. When active, the radio subsystem 22 of the mobile entity 20 communicates via a
radio link with the BTS 13 of the cell in which the mobile entity is currently located. As
regards the NSS 12, this comprises one or more Mobile Switching Centers (MSC) 15
together with other elements such as Visitor Location Registers 32 and Home Location
Register 32.

When the mobile entity 20 is used to make a normal telephone call, a traffic circuit for
carrying digitised voice is set up through the relevant BSS 11 to the NSS 12 which is then
responsible for routing the call to the target phone (whether in the same PLMN or in
another network).

With respect to data transmission to/from the mobile entity 20, in the present example
three different data-capable bearer services are depicted though other possibilities exist. A
first data-capable bearer service is available in the form of a Circuit Switched Data (CSD)
service; in this case a full traffic circuit is used for carrying data and the MSC 32 routes the
circuit to an InterWorking Function IWF 34 the precise nature of which depends on what is
connected to the other side of the IWF. Thus, IWF could be configured to provide direct
access to the public Internet 39 (that is, provide functionality similar to an IAP - Internet
Access Provider IAP). Alternatively, the IWF could simply be a modem connecting to a
PSTN; in this case, Internet access can be achieved by connection across the PSTN to a
standard IAP.

A second, low bandwidth, data-capable bearer service is available through use of the Short
Message Service that passes data carried in signalling channel slots to an SMS unit which
can be arranged to provide connectivity to the public Internet 39.

A third data-capable bearer service is provided in the form of GPRS (General Packet Radio
Service) which enables IP (or X.25) packet data to be passed from the data handling system
of the mobile entity 20, via the data interface 24, radio subsystem 21 and relevant BSS 11,
to a GPRS network 17 of the PLMN 10 (and vice versa). The GPRS network 17 includes a
SGSN (Serving GPRS Support Node) 18 interfacing BSC 14 with the network 17, and a
GGSN (Gateway GPRS Support Node) interfacing the network 17 with an external
network (in this example, the public Internet 39). Full details of GPRS can be found in the
ETSI (European Telecommunications Standards Institute) GSM 03.60 specification. Using
GPRS, the mobile entity 20 can exchange packet data via the BSS 11 and GPRS network
17 with entities connected to the public Internet 39.

The data connection between the PLMN 10 and the Internet 39 will generally be through a
firewall 35 with proxy and/or gateway functionality.

Different data-capable bearer services to those described above may be provided, the
described services being simply examples of what is possible.

In Figure 1, a service system 40 is shown connected to the Internet 40, this service system
being accessible to the OS/application 26 running in the mobile entity by use of any of the
data-capable bearer services described above. The data-capable bearer services could
equally provide access to a service system that is within the domain of the PLMN operator
or is connected to another public or private data network.

With regard to the OS/application software 26 running in the data handling subsystem 25
of the mobile entity 20, this could, for example, be a WAP application running on top of a
WAP stack where "WAP" is the Wireless Application Protocol standard. Details of WAP
can be found, for example, in the book "Official Wireless Application Protocol", Wireless
Application Protocol Forum, Ltd, published 1999, Wiley Computer Publishing. Where the
OS/application software is WAP compliant, the firewall will generally also serve as a
WAP proxy and gateway. Of course, OS/application 26 can comprise other functionality
(for example, an e-mail client) instead of, or additional to, the WAP functionality.

The mobile entity 20 may take many different forms. For example, it could be two separate
units such as a mobile phone (providing elements 22-24) and a mobile PC (data-handling
system 25) coupled by an appropriate link (wireline, infrared or even short range radio
system such as Bluetooth). Alternatively, mobile entity 20 could be a single unit such as a
mobile phone with WAP functionality. Of course, if only data transmission/reception is
required (and not voice), the phone functionality 24 can be omitted; an example of this is a
PDA with built-in GSM data-capable functionality whilst another example is a digital
camera (the data-handling subsystem) also with built-in GSM data-capable functionality
enabling the upload of digital images from the camera to a storage server.

Whilst the above description has been given with reference to a PLMN based on GSM
technology, it will be appreciated that many other cellular radio technologies exist and can
typically provide the same type of functionality as described for the GSM PLMN 10.

Recently, much interest has been shown in "location-based", "location-dependent", or
"location-aware" services for mobile users, these being services that take account of the
current location of the user (or other mobile party). The most basic form of this service is
the emergency location service whereby a user in trouble can press a panic button on their
mobile phone to send an emergency request-for-assistance message with their location data
appended. Another well known location-based service is the provision of traffic and
route-guiding information to vehicle drivers based on their current position. A further known
service is a "yellow pages" service where a user can find out about amenities (shops,
restaurants, theatres, etc.) local to their current location. The term "location-aware services"
will be used herein to refer generically to these and similar services where a location
dependency exists.

Location-aware services all require user location as an input parameter. A number of
methods already exist for determining the location of a mobile user as represented by an
associated mobile equipment. Example location-determining methods will now be
described with reference to Figures 2 to 5. As will be seen, some of these methods result in
the user knowing their location thereby enabling them to transmit it to a location-aware
service they are interested in receiving, whilst other of the methods result in the user's
location becoming known to a network entity from where it can be supplied directly to a
location-aware service (generally only with the consent of the user concerned). It is to be
understood that additional methods to those illustrated in Figures 2 to 5 exist.



As well as location determination, Figures 2 to 5 also illustrate how the mobile entity
requests a location-aware service provided by service system 40. In the present examples,
the request is depicted as being passed over a cellular mobile network (PLMN 10) to the
service system 40. The PLMN is, for example, similar to that depicted in Figure 1 with the
service request being made using a data-capable bearer service of the PLMN. The service
system 40 may be part of the PLMN itself or connected to it through a data network such
as the public Internet. It should, however, be understood that infrastructure other than a
cellular network may alternatively be used for making the service request.

The location-determining method illustrated in Figure 2 uses an inertial positioning system
50 provided in the mobile entity 20A, this system 50 determining the displacement of the
mobile entity from an initial reference position. When the mobile entity 20A wishes to
invoke a location-aware service, it passes its current position to the corresponding service
system 40 along with the service request 51. This approach avoids the need for an
infrastructure to provide an external frame of reference; however, cost, size and long-term
accuracy concerns currently make such systems unattractive for incorporation into
mass-market handheld devices.

Figure 3 shows two different location-determining methods both involving the use of local,
fixed-position, beacons here shown as infra-red beacons IRB though other technologies,
such as short-range radio systems (in particular, "Bluetooth" systems) may equally be used.
The right hand half of Figure 3 shows a number of independent beacons 55 that continually
transmit their individual locations. Mobile entity 20B is arranged to pick up the
transmissions from a beacon when sufficiently close, thereby establishing its position to
the accuracy of its range of reception. This location data can then be appended to a request
59 made by the mobile entity 20B to a location-aware service available from service
system 40. A variation on this arrangement is for the beacons 55 to transmit information
which whilst not directly location data, can be used to look up such data (for example, the
data may be the Internet home page URL of a store housing the beacon 55 concerned, this
home page giving the store location - or at least identity, thereby enabling look-up of
location in a directory service).

In the left-hand half of Figure 3, the IRB beacons 54 are all connected to a network that
connects to a location server 57. The beacons 54 transmit a presence signal and when
mobile entity 20C is sufficiently close to a beacon to pick up the presence signal, it
responds by sending its identity to the beacon. (Thus, in this embodiment, both the beacons
54 and mobile entity 20C can both receive and transmit IR signals whereas beacons 55
only transmit, and mobile entity 20B only receives, IR signals). Upon a beacon 54
receiving a mobile entity's identity, it sends out a message over network 56 to location
server 57, this message linking the identity of the mobile entity 20C to the location of the
relevant beacon 54. Now when the mobile entity wishes to invoke a location-aware service
provided by the service system 40, since it does not know its location it must include its
identity in the service request 58 and rely on the service system 40 to look up the current
location of the mobile entity in the location server 57. Because location data is personal
and potentially very sensitive, the location server 57 will generally only supply location
data to the service system 40 after the latter has produced an authorizing token supplied by
the mobile entity 20B in request 58. It will be appreciated that whilst service system 40 is
depicted as handling service requests from both types of mobile entity 20B and 20C,
separate systems 40 may be provided for each mobile type (this is likewise true in respect
of the service systems depicted in Figures 4 and 5).

Figure 4 depicts several forms of GPS location-determining system. On the left-hand side
of Figure 4, a mobile entity 20D is provided with a standard GPS module and is capable of
determining the location of entity 20D by picking up signals from satellites 60. The entity
20D can then supply this location when requesting, in request 61, a location-aware service
from service system 40.

The right-hand side of Figure 4 depicts, in relation to mobile entity 20E, two ways in
which assistance can be provided to the entity in deriving location from GPS satellites.
Firstly, the PLMN 10 can be provided with fixed GPS receivers 62 that each continuously
keep track of the satellites 60 visible from the receiver and pass information in messages
63 to local mobile entities 20E as to where to look for these satellites and estimated signal
arrival times; this enables the mobile entities 20E to substantially reduce acquisition time
for the satellites and increase accuracy of measurement (see "Geolocation Technology
Pinpoints Wireless 911 calls within 15 Feet" 1-Jul-99 Lucent Technologies, Bell Labs).
Secondly, as an alternative enhancement, the processing load on the mobile entity 20E can
be reduced and encoded jitter removed using the services of network entity 64 (in or
accessible through PLMN 10).

Once the mobile unit 20E has determined its location, it can pass this information in request
65 when invoking a location-aware service provided by service system 40.

Figure 5 depicts two general approaches to location determination from signals present in
a cellular radio infrastructure. First, it can be noted that in general both the mobile entity
and the network will know the identity of the cell in which the mobile entity currently
resides, this information being provided as part of the normal operation of the system.
(Although in a system such as GSM, the network may only store current location to a
resolution of a collection of cells known as a "location area", the actual current cell ID will
generally be derivable from monitoring the signals exchanged between the BSC 14 and the
mobile entity). Beyond current basic cell ID, it is possible to get a more accurate fix by
measuring timing and/or directional parameters between the mobile entity and multiple
BTSs 13, these measurements being done either in the network or the mobile entity (see, for
example, International Application WO 99/04582 that describes various techniques for
effecting location determination in the mobile and WO 99/55114 that describes location
determination by the mobile network in response to requests made by location-aware
applications to a mobile location center - server - of the mobile network).

The left-hand half of Figure 5 depicts the case of location determination being done in the
mobile entity 20F by, for example, making Observed Time Difference (OTD)
measurements with respect to signals from BTSs 13 and calculating location using a
knowledge of BTS locations. The location data is subsequently appended to a service
request 66 sent to service system 40 in respect of a location-aware service. The calculation
load on mobile entity 20F could be reduced and the need for the mobile to know BTS
locations avoided, by having a network entity do some of the work. The right-hand half of
Figure 5 depicts the case of location determination being done in the network, for example,
by making Timing Advance measurements for three BTSs 13 and using these
measurements to derive location (this derivation typically being done in a unit associated
with BSC 14). The resultant location data is passed to a location server 67 from where it
can be made available to authorised services. As for the mobile entity 20C in Figure 3,
when the mobile entity 20G of Figure 5 wishes to invoke a location-aware service
available on service system 50, it sends a request 69 including an authorisation token and
its ID (possibly embedded in the token) to the service system 40; the service system then
uses the authorisation token to obtain the current location of the mobile entity 20G from
the location server 67.

In the above examples, where the mobile entity is responsible for determining location, this
will generally be done only at the time the location-aware service is being requested.
Where location determination is done by the infrastructure, it may be practical for systems
covering only a limited number of users (such as the system illustrated in the left-hand half
of Figure 2 where a number of infrared beacons 54 will cover a generally fairly limited area) for
location-data collection to be done whenever a mobile entity is newly detected by an IRB,
this data being passed to location server 57 where it is cached for use when needed.
However, for systems covering large areas with potentially a large number of mobile
entities, such as the Figure 5 system, it is more efficient to effect location determination as
and when there is a perceived need to do so; thus, location determination may be triggered
by the location server 67 in response to the service request 68 from the mobile entity 20G
or the mobile entity may, immediately prior to making request 68, directly trigger BSC 14
to effect a location determination and feed the result to location server 67.

Further with respect to the location servers 57, 67, whilst access authorisation by
location-aware services has been described as being through authorisation tokens supplied by the
mobile entities concerned, other authorisation techniques can be used. In particular, a
location-aware service can be prior authorised with the location server in respect of
particular mobile entities; in this case, each request from the service for location data needs
only to establish that the request comes from a service authorised in respect of the mobile
entity for which the location data is requested.

As already indicated, Figures 2 to 5 depict only some examples of how location
determination can be achieved, there being many other possible combinations of
technology used and where in the system the location-determining measurements are made
and location is calculated, stored and used. Thus, the location-aware service may reside in
the mobile entity whose location is of interest, in a network-connected service system 40
(as illustrated), or even in another mobile entity. Furthermore, whilst in the examples of
Figures 2 to 5, invocation of the location-aware service has been by the mobile entity
whose location is of interest, the nature of the location-aware service may be such that it is
invoked by another party (including, potentially, the PLMN itself). In this case, unless the
invoking party already knows the location of the mobile entity and can pass this
information to the location-aware service (which may, for example, be the situation where
the PLMN invokes the service), it is the location-aware service that is responsible for
obtaining the required location data, either by sending a request to the mobile entity itself
or by requesting the data from a location server. Unless the location server already has the
needed information in cache, the server proceeds to obtain the data either by interrogating
the mobile entity or by triggering infrastructure elements to locate the mobile. For
example, where a location-aware service running on service system 40 in Figure 5 needs to
find the location of mobile 20G, it could be arranged to do so by requesting this
information from location server 67 which in turn requests the location data from the
relevant BSC, the latter then making the necessary determination using measurements from
BTSs 13. Figure 6 depicts the various possibilities discussed above.

Although in the foregoing, the provision of location data through the mobile radio
infrastructure to the mobile entity has been treated as a service effected over a data-capable
bearer channel, it may be expected that as location data becomes considered a basic
element of mobile radio infrastructure services, provision will be made in the relevant
mobile radio standards for location data to be passed over a signalling channel to the
mobile entity.

It is an object to facilitate different ways of distributing and using location data whilst
providing certain guarantees to participants.

Summary of the Invention 

According to the present invention, there is provided a method of providing location data
about a mobile entity, wherein the location data is provided in encrypted form by a location
server to a recipient that is one of the mobile entity or a service system usable by the
mobile entity, the location data being encrypted such that it can only be decrypted using
a secret available to a decryption entity that is not under the control of the recipient,
whereby involvement of the decryption entity is necessary to decrypt the location data.

According to another aspect of the present invention, there is provided a method of
providing location data about a mobile entity from a location server to a service system,
wherein:

(a) in response to a request for location data about the mobile entity, the location server
obtains the data, encrypts it in such a way that it can only be decrypted using a
secret known to a decryption entity associated with the location server, and sends out
the encrypted location data;
(b) the service system receives the encrypted location data and sends it to the decryption
entity for decryption and return.
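
Steps (a) and (b) of the second aspect, sketched as an added example that is not part of the patent text: the service system only ever holds an opaque blob and has to go through the decryption entity to read it. The class names, the per-service authorisation check, the binding of the blob to the mobile's ID, the sample fix, and the HMAC-based cipher (a standard-library stand-in for a vetted authenticated cipher such as AES-GCM) are all assumptions of this example.

```python
import hashlib
import hmac
import json
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(secret: bytes, label: bytes) -> bytes:
    # Separate keys for encryption and authentication, derived from one secret.
    return hmac.new(secret, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: stdlib-only stand-in for a vetted cipher.
    blocks = (length + 31) // 32
    stream = b"".join(
        hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(blocks)
    )
    return stream[:length]


def _tag(secret: bytes, context: bytes, nonce: bytes, ct: bytes) -> bytes:
    # Length-prefix the context so its boundary with the nonce is unambiguous.
    msg = len(context).to_bytes(4, "big") + context + nonce + ct
    return hmac.new(_subkey(secret, b"mac"), msg, hashlib.sha256).digest()


def seal(secret: bytes, plaintext: bytes, context: bytes) -> bytes:
    """Encrypt-then-MAC; the result is bound to `context` (the mobile's ID)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(secret, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    return nonce + ct + _tag(secret, context, nonce, ct)


def unseal(secret: bytes, blob: bytes, context: bytes) -> bytes:
    """Verify the tag first, then decrypt; raises ValueError on any mismatch."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(secret, context, nonce, ct)):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(secret, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class LocationServer:
    """Step (a): obtains the fix and sends it out only in encrypted form."""

    def __init__(self, secret: bytes, fixes: dict):
        self._secret, self._fixes = secret, fixes

    def request_location(self, mobile_id: str) -> bytes:
        fix = json.dumps(self._fixes[mobile_id]).encode()
        return seal(self._secret, fix, mobile_id.encode())


class DecryptionEntity:
    """Holds the secret; the recipient of the blob has no control over it."""

    def __init__(self, secret: bytes, authorised: set):
        self._secret, self._authorised = secret, authorised

    def decrypt_for(self, service_id: str, mobile_id: str, blob: bytes) -> dict:
        if service_id not in self._authorised:  # policy check: an assumption
            raise PermissionError("service not authorised: " + service_id)
        return json.loads(unseal(self._secret, blob, mobile_id.encode()))


class ServiceSystem:
    """Step (b): forwards the blob it cannot read and uses the returned fix."""

    def __init__(self, service_id, server: LocationServer, decryptor: DecryptionEntity):
        self.service_id, self._server, self._decryptor = service_id, server, decryptor

    def locate(self, mobile_id: str) -> dict:
        blob = self._server.request_location(mobile_id)
        return self._decryptor.decrypt_for(self.service_id, mobile_id, blob)


def run_demo() -> dict:
    secret = secrets.token_bytes(32)  # shared by server and decryption entity only
    fixes = {"mobile-20G": {"lat": 51.5, "lon": -2.55}}  # constructed sample fix
    server = LocationServer(secret, fixes)
    decryptor = DecryptionEntity(secret, authorised={"traffic-service"})
    service = ServiceSystem("traffic-service", server, decryptor)
    blob = server.request_location("mobile-20G")
    tampered = blob[:-1] + bytes([blob[-1] ^ 1])  # flip one bit of the tag
    try:
        decryptor.decrypt_for("traffic-service", "mobile-20G", tampered)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return {"location": service.locate("mobile-20G"), "tamper_rejected": tamper_rejected}


if __name__ == "__main__":
    print(run_demo())
```
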

Brief Description of the Drawings 

Methods and arrangements embodying the present invention will now be described, by
way of non-limiting example, with reference to the accompanying diagrammatic drawings,
in which:

• Figure 1 is a diagram of a known communications infrastructure usable for
  transferring voice and data to/from a mobile entity;
• Figure 2 is a diagram illustrating one known approach to determining the location of
  a mobile entity, this approach involving providing the entity with an
  inertial positioning system;
• Figure 3 is a diagram illustrating another known approach to determining the
  location of a mobile entity, this approach being based on proximity of the
  mobile entity to fixed-position local beacons;
• Figure 4 is a diagram illustrating a further known approach to determining the
  location of a mobile entity, this approach involving the use of GPS
  satellites;
• Figure 5 is a diagram illustrating a still further approach to determining the location
  of a mobile entity, this approach being based on the use of signals present
  in a cellular mobile radio communications system;
• Figure 6 is a diagram illustrating various different routes by which location
  information can be provided to a service system;
• Figure 7 is a diagram illustrating an embodiment of the invention in which a
  location server provides encrypted location data to a mobile entity;
• Figure 8 is a diagram illustrating a decryption process carried out by a decryption
  entity of the Figure 7 embodiment;
• Figure 9 is a diagram illustrating a further embodiment of the invention in which a
  location server provides encrypted location data to a service system;
• Figure 10 is a diagram illustrating the provision of accuracy limit data to a location
  server to limit the accuracy of the location data returned by the server;
• Figure 11 is a diagram illustrating a further embodiment of the invention in which a
  location server provides encrypted location data to a mobile entity;
• Figure 12 is a diagram illustrating another embodiment of the invention in which a
  location server provides encrypted location data to a mobile entity;
• Figure 13 is a diagram illustrating a still further embodiment of the invention in
  which a location server provides encrypted location data to a mobile entity;
• Figure 14 is a diagram illustrating a further embodiment of the invention in which a
  location server provides encrypted location data to a service system;
• Figure 15 is a diagram illustrating another embodiment of the invention in which a
  location server provides encrypted location data to a service system; and
• Figure 16 is a diagram illustrating a still further embodiment of the invention in
  which a location server provides encrypted location data to a service
  system;

Best Mode of Carrying Out the Invention

In the following description given with respect to Figures 7 to 16, the communication
networks that provide inter-communication of the various system elements are not shown
for reasons of clarity, these networks simply serving to permit data to be passed between
the elements; the forms of the networks are, for example, as described above in relation to
Figures 1 to 6. Furthermore, the generalisations discussed above in relation to the mobile
entity, service system and location server apply equally to these elements as participating
in the embodiments of the invention described below. Thus, for example, the service
system can be connected to the public Internet 39, to the GPRS network 17 or to another
fixed data network interfacing directly or indirectly with the network 17 or network 39. In
addition, it should be noted that generally no distinction is made between the mobile entity
and its user and references to the identity of the mobile entity should be understood as also
applying to the identity of the user of the mobile entity.

Figure 7 shows a first embodiment of the invention in which location data about a mobile
entity 20 is provided by a location server 79 in encrypted form both to assist in keeping it
confidential and to protect a billing relationship between participants; in addition, a
mechanism is provided by which the user of a mobile entity can limit the accuracy of
location data provided to a service system 40. More particularly, upon request (see arrow
70) from mobile entity 20, location server 79 returns (arrow 71) the location L of the
mobile entity in an encrypted package P (shown hatched to represent its encrypted form).
Package P also contains an identifier for the mobile entity (for example, the public key of
a public/private asymmetric key pair associated with the mobile entity), and an indicator of
the accuracy of the location data provided.

The package P is encrypted such that it can only be decrypted using a secret known to a
decryption entity 80 associated with the location server 79 (in Figure 7, two decryption
entities 80 are shown, a first one co-located with the location server, and a second one
separately located). The secret is, for example, the private key of a public/private key pair,
the public key being used to encrypt the package P whilst the private key is kept secret to
the decryption entities; alternatively, the secret could be a symmetric key known both to
the location server and the decryption entities and used both for encryption and decryption.
Whatever the form of the decryption secret, in the present embodiment it is intended to be
unknown to the mobile entity 20 and the service system 40.

The mobile entity 20 now supplies (arrow 72) the encrypted location data to a first service
system 40A with a request for a first location-aware service; because of privacy concerns,
the user of the mobile entity does not want the service system to know his/her location with
a high degree of accuracy and accordingly specifies an accuracy limit as a quality of
service parameter in data package Q1. Package Q1 also includes the identity of the service
system 40A and the period of validity of the request (for example, 10 minutes). Packages P
and Q1 are together digitally signed by mobile entity 20 using the private key of the user
(the digital signature S is shown in Figure 7 as enclosing the packages P and Q1 within a
dotted box). As a result, the encrypted location data and the parameters contained in
package Q1 cannot be altered or substituted without this being detectable.

Before the service system 40A can act upon the request from mobile entity 20, it must have
the location data L decrypted by decryption entity 80; the decryption entity is such that it
will not decrypt the location data unless also provided with package Q1 protected by digital
signature S - this is done so that the decryption entity can reliably limit the accuracy of the
location data it returns to the level specified by the mobile entity. Accordingly, service
system 40A next passes the digitally-signed packages P and Q1 (arrow 73) to the entity 80;
for security reasons, the connection between the service system 40A and decryption entity
80 is preferably an encrypted connection with authentication of the participating parties
(for example, an SSL or TLS connection).



Decryption entity 80 now proceeds to execute the steps shown in Figure 8:
Step 81 - digitally-signed packages P and Q1 are received from service system 40A over
          the secure authenticated link.
Step 82 - the authenticity of the data contained in packages P and Q1 is checked by using
          the digital signature S and the public key of mobile entity 20 in conventional
          manner - if authentication is not achieved, the decryption process is aborted
          and an error message returned to system 40A.
Step 83 - the identity of the service system 40A as provided during the set up of the
          secure link between system 40A and entity 80 is checked against the service-
          system identity contained in the authenticated package Q1 - if there is a
          mismatch the decryption process is aborted and an error message returned to
          system 40A. A check is also made that the decryption request from the system
          40A has been received within the validity time window specified in package Q1
          - if the request was received outside the period of validity, the decryption
          process is aborted and an error message returned to system 40A.
Step 84 - The package P is decrypted and a check made that the location data L it
          contains relates to the same mobile entity as signed the package Q1 - if there is
          a mismatch in identity, the decryption process is aborted and an error message
          returned to system 40A.
Step 85 - The accuracy of the decrypted location data L is next compared with the
          specified accuracy limit contained in package Q1. If the specified accuracy limit
          is tighter than the accuracy of the available location data, no action is required
          to obscure the location data. However, if the accuracy of the available location
          data is higher than the specified accuracy limit, then the location data L is
          modified to make it less reliable. More particularly, the accuracy of the location
          data is decreased by combining with its components, additional components
          randomised over a range set by the difference between the known accuracy of
          the available location data and the specified accuracy level; for example, if the
          location data is in the form of X, Y coordinates, then the aforesaid components
          are X and Y coordinate components of the mobile entity's location.
Step 86 - The decrypted location data L1, with accuracy limited to the level specified by
          the QoS parameter set by the mobile entity, is then returned to the service
          system 40A over the secure link (arrow 74 in Figure 7).
Step 87 - Finally, the decryption entity 80 generates a billing record and passes it to
          billing system 78.
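An added sketch of the Figure 8 checks (steps 82 to 87), not code from the patent: so that it runs on the Python standard library alone, HMAC-SHA256 stands in for the mobile entity's digital signature S and a hash-based stream cipher with an integrity tag stands in for the encryption of package P. The field names, the reading of "accuracy" as a per-axis error bound in metres, and the issued_at/valid_s encoding of the validity period are assumptions.

```python
import hashlib, hmac, json, random, secrets

class Refused(Exception):
    """Decryption aborted; the message is the error returned to the service system."""

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a real cipher (assumption).
    return b"".join(_mac(key, nonce + i.to_bytes(4, "big")) for i in range(n // 32 + 1))[:n]

def _xor(data, key, nonce):
    return bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))

def seal_p(k_dec, entity_id, x, y, accuracy_m):
    """Location server: package P = encrypted {identity, location L, accuracy}."""
    body = json.dumps({"id": entity_id, "x": x, "y": y, "acc": accuracy_m}).encode()
    nonce = secrets.token_bytes(16)
    ct = _xor(body, k_dec + b"enc", nonce)
    return (nonce + ct + _mac(k_dec + b"mac", nonce + ct)).hex()

def open_p(k_dec, p_hex):
    """Decryption entity: check the integrity tag, then decrypt package P."""
    raw = bytes.fromhex(p_hex)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, _mac(k_dec + b"mac", nonce + ct)):
        raise Refused("package P failed its integrity check")
    return json.loads(_xor(ct, k_dec + b"enc", nonce))

def sign_request(k_me, p_hex, q):
    """Mobile entity: signature S over P and Q together (HMAC stand-in)."""
    return _mac(k_me, (p_hex + json.dumps(q, sort_keys=True)).encode()).hex()

def decrypt_for_service(k_dec, entity_keys, peer_id, p_hex, q, s_hex, now, rng=None):
    """Decryption entity, steps 82-87: returns (released location, billing record)."""
    rng = rng or random.SystemRandom()
    # Step 82: authenticate P and Q against S with the key registered for the signer.
    key = entity_keys.get(q.get("entity"))
    if key is None or not hmac.compare_digest(s_hex, sign_request(key, p_hex, q)):
        raise Refused("signature check failed")
    # Step 83: the authenticated peer must be the service system named in Q,
    # and the request must arrive inside the validity window.
    if peer_id != q["service"]:
        raise Refused("service system mismatch")
    if not q["issued_at"] <= now <= q["issued_at"] + q["valid_s"]:
        raise Refused("request outside period of validity")
    # Step 84: decrypt P; its location must relate to the entity that signed Q.
    p = open_p(k_dec, p_hex)
    if p["id"] != q["entity"]:
        raise Refused("location relates to a different mobile entity")
    # Step 85: if the data is more accurate than the limit, add per-axis components
    # randomised over the difference between the two accuracies.
    x, y, acc, limit = p["x"], p["y"], p["acc"], q["accuracy_limit_m"]
    if limit > acc:
        spread = limit - acc
        x, y, acc = x + rng.uniform(-spread, spread), y + rng.uniform(-spread, spread), limit
    # Steps 86 and 87: release the limited location and emit a billing record.
    billing = {"service": peer_id, "entity": p["id"], "accuracy_m": acc}
    return {"x": x, "y": y, "acc": acc}, billing
```

With a real signature scheme the decryption entity would hold only the mobile entity's public key, and peer_id would be taken from the authenticated SSL or TLS session rather than from anything the service system sends in the request.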

The service system 40A now uses the location data L1 to provide the location-aware
service requested by mobile entity 20.

The mobile entity 20 also uses the encrypted location data in package P to request (arrow
75) a second location aware service from a second service system 40B, this time with a
higher accuracy limit specified in package Q2. As with service system 40A, service system
40B passes the digitally signed packages P and Q2 to a decryption entity 80 (arrow 76) and
receives back (arrow 77) the location data L2 to the specified accuracy level; decryption
entity 80 generates a billing record which it passes to billing system 78. The service system
40B then uses the location data L2 to provide the requested location aware service.

The foregoing arrangement not only enables the mobile user to specify the limit of
accuracy with which the service system can know the location of the mobile user, but also
enables a billing relationship for location data to be established between the service
systems 40 and the decryption entities 80. The mobile user is not directly charged for the
location data and the service system operators can compete on the cost of the location
data, for example, by doing special deals with the decryption entities. It may be expected
that the billing of the location data will depend on the accuracy level set; to enable service
system operators to compete on service level and price, it can be arranged that the service
system can also specify an accuracy limit and the decryption entity will then comply with
the lowest specified limit - a service system can then seek to provide a satisfactory service
at a lower price because it is using less accurate data than a competitor.

It may be noted that the arrangement of Figure 7 permits the mobile entity to make service
requests based on historic location data with billing still being done on the basis of actual
usage of the location data, without any requirement for the location server to archive
location data.

Figure 9 shows a variant of the Figure 7 arrangement in which the location server 79 sends
the package P, not to the mobile entity 20, but to the service system 40 - this being done in
response to a request generated by the service system 40 following the receipt of a service
request from the mobile entity. Digitally-signed package Q is provided to the service
system along with the service request. The system 40, upon receiving the package P, then
passes both packages to the decryption entity. Decryption entity 80 operates as described
above except that now only the package Q is digitally signed by the mobile entity, not
packages P and Q together. The provision of package P direct to the service system is
secure in that system 40 cannot decrypt the package without the aid of the decryption
entity and this latter checks whether the mobile entity has requested a service from the
service system 40; however, as an extra precaution, the location server can be arranged to
require the service system to pass it package Q which it must authenticate and match with
the request details from system 40 before the location server provides package P.

In the Figure 10 embodiment, the digitally-signed package Q provided by the mobile entity
20 with a service request to the service system 40, is again passed by the service system to
the location server. However, this time the location server simply provides the location
data in unencrypted form but with an accuracy limit as specified in package Q. The checks
carried out by the location server 79 on the basis of the digitally-signed package Q are the
same as described above as being effected by the decryption entity (steps 82, 83 of Figure
8).

The embodiments of Figures 11 to 13 illustrate the advantages to be gained by encrypting
the location data provided by the location server to the mobile entity where the latter is not
enabled to decrypt the location data. The Figure 11 arrangement is similar to that of Figure
7 except that the mechanism for the user to specify an accuracy limit has been omitted.
This arrangement nevertheless protects the billing relationship between the participants
since the mobile entity cannot use the location information except with the involvement of
decryption entity; the location server 79 (which is associated with entity 80) is thus
remunerated by the service system whenever the location data is used.

In the Figure 12 arrangement, it is the mobile entity that requests the decryption entity to 
decrypt the package P and provide back the location data to the mobile entity; the mobile 
entity then provides the decrypted location data to the service system. In this case, it is the 
mobile entity that is billed for the decryption of the location data. Although the package P 
is illustrated as being provided by the location server in response to a request from the 
mobile entity, package P could be pushed by the location server on a no-charge basis - the 
mobile entity only incurring a charge if the location data is decrypted for use. 

In the Figure 13 arrangement, the decryption entity 80 is associated with the service system
rather than with the location server; the location server still encrypts package P such that 
the decryption entity can decrypt it (thus, the package P can be encrypted using the public 
key of the service system, the decryption entity then using the private key of the system 40 
to decrypt the package P). Thus, the operator of the service system may have contracted 
with the operator of the location server 79 that the latter will provide encrypted location 
data to mobile users - this data is, however, only of use in relation to services offered by 
the particular service system 40 concerned. 

The embodiments of Figures 14 to 16 illustrate the advantages to be gained by encrypting
the location data provided by the location server 79 to the service system 40 where the 
latter is not enabled to decrypt the location data. These advantages include protecting the 
confidentiality of the location data, particularly where the service system is a location 
archival or escrow system. 

The Figure 14 arrangement is similar to that of Figure 9 except that the mechanism for the
user to specify an accuracy limit has been omitted. This arrangement nevertheless protects
the billing relationship between the participants since the service system cannot use the
location data except with the involvement of decryption entity 80; the location server 79
(which is associated with entity 80) is thus remunerated by the service system whenever
the location data is used. One application of the Figure 14 arrangement is as a location
archive or escrow for location data on the mobile entity - location data is periodically
pushed by the location server to the archive/escrow system 40 and can subsequently be
accessed to check historic location. Preferably, the decryption agent is operative only to
decrypt the location data with appropriate authorisation from the user of the mobile entity.

In the Figure 15 arrangement, it is the mobile entity that contacts the decryption entity to
have the package P decrypted; in the illustrated example, the location data is initially
pushed to the service system (again, this could be an archive / escrow system) and then
when requested, the location data is passed to the mobile entity.

In the Figure 16 arrangement, the decryption entity 80 is associated with the mobile entity
rather than with the location server 79; the location server still encrypts package P for
decryption by the decryption entity (thus, the package P can be encrypted using the public
key of the mobile entity, the decryption entity then using the private key of the entity 20 to
decrypt the package P).

As will be appreciated by persons skilled in the art, many variants are possible to the above
described arrangements; in particular, the billing arrangements described are merely
illustrative and, indeed, can in appropriate circumstances be omitted altogether.
Furthermore, the auxiliary data provided with the location data in package P and with the
desired accuracy limit in package Y can be omitted in appropriate cases.

CLAIMS

1. A method of providing location data about a mobile entity, wherein the location data is
provided in encrypted form by a location server to a recipient that is one of the mobile
entity or a service system usable by the mobile entity, the location data being encrypted
such that it can only be decrypted using a secret available to a decryption entity that is
not under the control of the recipient, whereby involvement of the decryption entity is
necessary to decrypt the location data.

2. A method according to claim 1, wherein the encrypted location data is decrypted by the
decryption entity with explicit or implicit authorisation by the mobile entity.

3. A method according to claim 1 or claim 2, wherein the recipient is the mobile entity and
the decryption entity is under the control of the location server or an agent of the latter.

4. A method according to claim 3, wherein the mobile entity passes the encrypted location
data to a service system in association with a service request to the latter, the service
system then passing the encrypted location data to the decryption entity for decryption and
return.

5. A method according to claim 4, wherein the encrypted location data includes the
identity of the mobile entity to which the location data relates, the mobile entity passing
the service system authenticatable identity data concerning itself and the service system,
and the service system passing the identity data to the decryption entity which
authenticates the identity data and only returns the decrypted location data to the service
system if both:
- the mobile entity indicated by the identity data is the same as the one to which the
  location data relates, and
- the service system indicated by the identity data is the same as the one asking the
  decryption entity to decrypt the location data.

6. A method according to claim 3, wherein the mobile entity passes the encrypted location
data to the decryption entity for decryption and return.

7. A method according to claim 1 or claim 2, wherein the recipient is the mobile entity and
the decryption entity is a service system to which the mobile entity passes the encrypted
location data in association with a service request.

8. A method according to claim 1 or claim 2, wherein the recipient is the service system
and the decryption entity is under the control of the location server or an agent of the latter.

9. A method according to claim 8, wherein the service system passes the encrypted
location data to the decryption entity for decryption and return, upon receipt of an
authoring service request from the mobile entity.

10. A method according to claim 9, wherein the encrypted location data includes the
identity of the mobile entity to which the location data relates, the mobile entity passing
the service system authenticatable identity data concerning itself and the service system,
and the service system passing the identity data to the decryption entity which
authenticates the identity data and only returns the decrypted location data to the service
system if both:
- the mobile entity indicated by the identity data is the same as the one to which the
  location data relates, and
- the service system indicated by the identity data is the same as the one asking the
  decryption entity to decrypt the location data.

11. A method according to claim 8, wherein the mobile entity obtains the encrypted
location data from the service system and passes it to the decryption entity for decryption
and return.

12. A method according to claim 11, wherein the encrypted location data includes the
identity of the mobile entity to which the location data relates, the mobile entity passing
the decryption entity authenticatable identity data concerning itself, and the decryption
entity authenticating the identity data and only returning the decrypted location data to the
service system if the mobile entity indicated by the identity data is the same as the one to
which the location data relates.

13. A method according to claim 8, wherein the service system is a location-data archive
system.

14. A method according to claim 1 or claim 2, wherein the recipient is the service system 
and the decrypting entity is the mobile entity, the latter having received the encrypted 
location data from the service system. 

15. A method according to claim 1 or claim 2, wherein involvement of the decryption
entity to decrypt the location data results in the generation of a billing record.

16. A method according to any one of the preceding claims, wherein the encrypted
location data is passed to the decryption entity for decryption and the mobile entity sends
the decryption entity, either directly or via the service system, quality of service data, QoS
data, indicating a desired location accuracy, the decryption entity returning the decrypted
location of the mobile entity to an accuracy determined by the QoS data.

17. A method according to claim 16, wherein the mobile entity digitally signs the QoS
data, and the decryption entity checks the authenticity of the QoS data on the basis of the
mobile entity's digital signature.

18. A method of providing location data about a mobile entity from a location server to a
service system, wherein:
(a) in response to a request for location data about the mobile entity, the location server
obtains the data, encrypts it in such a way that it can only be decrypted using a
secret known to a decryption entity associated with the location server, and sends out
the encrypted location data;
(b) the service system receives the encrypted location data and sends it to the decryption
entity for decryption and return.

ABSTRACT
Providing Location Data about a Mobile Entity

Location data about a mobile entity (20) is provided in encrypted form by a location server
(79) to a recipient that is one of the mobile entity (20) or a service system (40) usable by
the mobile entity. The location data (P) is encrypted such that it can only be decrypted
using a secret available to a decryption entity (80) that is not under the control of the
recipient. This permits location data (P) to be provided in a confidential manner to service
systems (40) and also protects billing relationships between participants. A mechanism is
also described for limiting the accuracy of decrypted location data (L) made available to a
service system (40).

(Fig. 7)